Data Classification Policy - PrivionGRC Security Documentation

Document Information

Company: PrivionGRC, Inc.
Effective Date: October 17, 2025
Version: 1.0
Policy Owner: Matt Fishman, CEO
Review Frequency: Annual

Contact Information

Email: mfishman@priviongrc.com
Location: San Diego, CA

1. Purpose

This policy establishes a framework for classifying and handling data based on sensitivity, value, and regulatory requirements. Proper data classification ensures appropriate protection measures are applied to information assets throughout their lifecycle.

2. Scope

This policy applies to:

All data created, stored, processed, or transmitted by PrivionGRC
All employees, contractors, vendors, and partners
All systems, applications, and devices (cloud and on-premises)
Data in all formats (electronic, physical, verbal)
Customer data processed through PrivionGRC platform

3. Data Classification Levels

3.1 RESTRICTED (Highest Sensitivity)

Definition:

Highly sensitive data requiring maximum protection. Unauthorized disclosure could cause severe harm.

Examples:

Customer personal data (GDPR Article 9 special categories)
- Health information
- Biometric data
- Genetic data
- Racial/ethnic origin
- Political opinions, religious beliefs
- Sexual orientation
- Trade union membership
Authentication credentials (passwords, API keys, tokens)
Encryption keys and certificates
Social Security Numbers (SSN), National Insurance Numbers
Financial account information (bank accounts, credit cards)
Trade secrets and proprietary algorithms

Handling Requirements:

Encryption required at rest (AES-256) and in transit (TLS 1.2+)
Access limited to named individuals only (documented)
Multi-factor authentication (MFA) mandatory
Access logged and monitored continuously
Cannot be stored on personal devices

Cannot be sent via regular email (use secure file transfer)
Watermarked or labeled "RESTRICTED" on all documents
Secure disposal required (crypto-shredding for electronic, cross-cut shredding for physical)
Data Processing Agreement (DPA) required for vendor access

3.2 CONFIDENTIAL (High Sensitivity)

Definition:

Sensitive data requiring strong protection. Unauthorized disclosure could cause significant harm to company or customers.

Examples:

Customer personal data (GDPR Article 6 lawful basis)
- Names, email addresses
- IP addresses
- Job titles, employer
- Purchase history
- Website usage data
Contract terms and agreements
Employee personal information (HR records)
Internal business plans and strategies
Financial reports (internal)
Security assessment reports
Audit findings
Source code (proprietary)

Handling Requirements:

Encryption required in transit (TLS 1.2+)
Encryption recommended at rest
Role-based access control (RBAC)
MFA required for access
Access logged and reviewed quarterly

Can be stored on encrypted company devices only
Email permitted with encryption or within company domain
Labeled "CONFIDENTIAL" on documents
Non-Disclosure Agreement (NDA) required for external sharing
Secure deletion when no longer needed

3.3 INTERNAL (Moderate Sensitivity)

Definition:

Data intended for internal use only. Unauthorized disclosure could cause moderate harm or embarrassment.

Examples:

Internal communications and memos
Employee directory (names, departments, emails)
Meeting notes and presentations (internal)
Draft documents and working files
System documentation (non-security related)
Marketing plans (pre-launch)
Product roadmaps
Vendor lists
Training materials

Handling Requirements:

Authentication required for access
Encryption in transit recommended
Access limited to employees and authorized contractors
Basic access logging

Can be stored on company devices
Email permitted within company domain
Labeled "INTERNAL" on documents
Delete when obsolete (no formal process required)

3.4 PUBLIC (No Sensitivity)

Definition:

Data approved for public disclosure. No harm from unauthorized access.

Examples:

Marketing materials (published)
Press releases
Public website content
Published blog posts
Product documentation (public)
Job postings
Social media content

Handling Requirements:

No special controls required
Can be shared freely
Can be posted on public websites

No encryption required
No access controls required

4. Data Classification Process

4.1 Classification Responsibility

Data Owner

Individual or business unit responsible for data classification

• Determines appropriate classification level
• Reviews classification annually
• Approves access requests
• Authorizes data disposal

Data Custodian

IT/Security team responsible for implementing controls

• Applies technical controls based on classification
• Monitors data access and usage
• Enforces retention and disposal
• Reports violations to Data Owner

Data User

Individual accessing/using data

• Handles data per classification requirements
• Reports suspected misclassification
• Reports security incidents immediately

4.2 Classification Guidelines

Ask these questions to determine classification:

1. What is the worst-case impact of unauthorized disclosure?

• Severe harm to individuals/company → RESTRICTED
• Significant harm or legal liability → CONFIDENTIAL
• Moderate harm or embarrassment → INTERNAL
• No harm → PUBLIC

2. Is this data protected by regulations?

• GDPR special categories (Art. 9) → RESTRICTED
• GDPR personal data (Art. 6) → CONFIDENTIAL
• No regulatory protection → INTERNAL or PUBLIC

3. Who needs access to this data?

• Specific named individuals only → RESTRICTED
• Specific roles/departments → CONFIDENTIAL
• All employees → INTERNAL
• Anyone → PUBLIC

4. What is the business value?

• Critical trade secrets → RESTRICTED
• Competitive advantage → CONFIDENTIAL
• Operational necessity → INTERNAL
• Marketing value → PUBLIC

4.3 Default Classifications

By Data Type:

Data Type	Default Classification	Notes
Customer personal data (special categories)	RESTRICTED	GDPR Article 9
Customer personal data (standard)	CONFIDENTIAL	GDPR Article 6
Authentication credentials	RESTRICTED	Always
Encryption keys	RESTRICTED	Always
Payment card data	RESTRICTED	PCI DSS
Source code	CONFIDENTIAL	Unless open-source
Contracts	CONFIDENTIAL	Unless public filing
Employee HR records	CONFIDENTIAL	Except public directory
Financial reports	CONFIDENTIAL	Unless public company
Marketing materials	INTERNAL	Until published
Product documentation	INTERNAL	Until published

When in doubt, classify as CONFIDENTIAL and escalate to Data Owner.

5. Data Handling Requirements

5.1 Data at Rest

Classification	Encryption	Access Control	Logging	Backup
RESTRICTED	AES-256 (required)	Named individuals	All access	Encrypted daily
CONFIDENTIAL	Recommended	RBAC	Quarterly review	Daily
INTERNAL	Optional	Authentication	Basic	Daily
PUBLIC	Not required	Public	Not required	Not required

5.2 Data in Transit

Classification	Minimum Standard	Approved Methods
RESTRICTED	TLS 1.3 preferred, TLS 1.2 minimum	HTTPS, SFTP, encrypted email
CONFIDENTIAL	TLS 1.2+	HTTPS, SFTP, internal email
INTERNAL	TLS 1.2+	HTTPS, regular email (internal)
PUBLIC	None	Any method

6. Data Lifecycle Management

6.3 Data Retention

Retention Schedule:

Data Type	Retention Period	Legal Basis
Customer data	As specified in DPA + 30 days	GDPR Art. 17
Financial records	7 years	Tax regulations
Employee HR records	7 years after separation	Employment law
Audit logs	1 year (2 years for privileged access)	SOC 2
Contracts	7 years after expiration	Statute of limitations
Marketing materials	Until obsolete	Business need
Source code	Indefinite	Intellectual property

6.4 Data Disposal

Secure Disposal Methods:

Classification	Electronic Data	Physical Media	Physical Documents
RESTRICTED	Crypto-shredding + deletion + verification	Physical destruction (hammer drill)	Cross-cut shredding (DIN P-4+)
CONFIDENTIAL	Secure deletion (overwrite)	Degaussing or destruction	Cross-cut shredding
INTERNAL	Standard deletion	Standard disposal	Shredding or secure bin
PUBLIC	Standard deletion	Standard disposal	Standard disposal

7. Special Data Categories

7.1 Customer Data (GDPR)

All customer data is classified as CONFIDENTIAL minimum (RESTRICTED if special categories).

Requirements:

Data Processing Agreement (DPA) in place
Lawful basis documented (Art. 6 or 9)
Data subject rights honored (access, erasure, portability)
Breach notification within 72 hours
Data transfers outside EU require safeguards (SCCs, BCRs)

7.2 Financial Data

All financial data is classified as CONFIDENTIAL minimum.

Additional Requirements:

SOX compliance (if applicable)
Segregation of duties
Regular audits
Fraud detection monitoring

7.3 Source Code

Proprietary source code is classified as CONFIDENTIAL.

Additional Requirements:

Version control (Git) with access logging
Code review before commit
No public repositories (unless open-source)
Regular security scanning

8. Data Classification Marking

8.1 Electronic Data

Email Subject Lines:

RESTRICTED: [Subject]
CONFIDENTIAL: [Subject]
INTERNAL: [Subject]
(No marking for PUBLIC)

Document Headers/Footers:

RESTRICTED - [Company Name] - [Date]
CONFIDENTIAL - [Company Name] - [Date]
INTERNAL USE ONLY - [Company Name] - [Date]

8.2 Physical Documents

RESTRICTED: Red stamp/label on every page
CONFIDENTIAL: Yellow stamp/label on first page and last page
INTERNAL: "Internal Use Only" on first page
PUBLIC: No marking

9. Training and Awareness

All employees must:

Complete data classification training within 30 days of hire
Complete annual refresher training
Acknowledge this policy annually
Report suspected data misclassification or mishandling

Training includes:

Classification levels and criteria
Handling requirements for each level
Real-world examples and scenarios
Common mistakes and how to avoid them
Incident reporting procedures

10. Compliance and Enforcement

10.1 Monitoring

IT/Security will monitor for:

Unencrypted RESTRICTED/CONFIDENTIAL data
Inappropriate data sharing
Data leakage (DLP - Data Loss Prevention)
Classification violations

10.2 Violations

Policy violations may result in:

First offense: Written warning + retraining
Second offense: Access suspension + manager escalation
Third offense: Termination
Data breach: Regulatory notification + potential fines

12. Related Policies

Information Security Policy
Access Control Policy
Incident Response Policy
Data Retention Policy
Records Management Policy
Privacy Policy (external)

For Questions Regarding This Policy

Contact Matt Fishman, CEO: mfishman@priviongrc.com
San Diego, CA